Feature #962

Can I log the mac address of the source?

Added by 冠宇 陳 over 7 years ago. Updated 6 months ago.

Status:
Closed
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

Knowing the MAC address can help us identify the attacker. So can Suricata log the MAC address, like the -e option in Snort? Thanks for the help.


Related issues

Related to Task #2309: SuriCon 2017 brainstorm (New, Victor Julien)
Related to Bug #1711: Ethernet Header Missing From JSON Packet Field (New, OISF Dev)

#1

Updated by Victor Julien over 7 years ago

We don't have a similar option. How are the mac addresses logged with -e in Snort?

#2

Updated by Victor Julien over 7 years ago

  • Target version set to TBD

#3

Updated by Song Liu about 7 years ago

In NFQ mode, we don't have the MAC address, because it is layer 3.

#4

Updated by Andreas Herz almost 5 years ago

That's a feature request. Did anyone already look into that? I just tested it with Snort in sniffer mode (-vCd -i $DEVICE -e), which we don't have exactly, but it could be useful in normal IDS mode as well.

#5

Updated by Andreas Herz almost 5 years ago

  • Tracker changed from Support to Feature
  • Assignee set to OISF Dev

#6

Updated by Victor Julien about 3 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Eric Leblond
  • Target version changed from TBD to 70

#7

Updated by Victor Julien about 3 years ago

  • Related to Task #2309: SuriCon 2017 brainstorm added

#8

Updated by Victor Julien almost 3 years ago

At the team meeting in Amsterdam 2018 we agreed on the following:

for packets, log mac src/dst as a scalar field in eve
for flows, log mac src/dst as lists in eve
field names should be different to avoid type confusion (e.g. src_mac vs src_macs?)

Alerts will log based on packet, but can add mac addrs from flow too.

#9

Updated by Raymond Hansen about 2 years ago

  • Assignee changed from Eric Leblond to Sascha Steinbiss

#10

Updated by Victor Julien over 1 year ago

  • Related to Bug #1711: Ethernet Header Missing From JSON Packet Field added

#11

Updated by Sascha Steinbiss 11 months ago

Just taking a look at this atm.

for packets, log mac src/dst as a scalar field in eve
for flows, log mac src/dst as lists in eve
field names should be different to avoid type confusion (e.g. src_mac vs src_macs?)

Alerts will log based on packet, but can add mac addrs from flow too.

I am wondering how to decide whether something is to be logged as flow or packet. Would it be enough to look at p->flow in CreateJSONHeader and see if the *pktcnt values there indicate >1 packet?

Also, am I correct in assuming that in order to log a list of MAC addresses, one would need to gather and update that during packet->flow assignment? Can you suggest a good suitable place to do that in the code? FlowHandlePacketUpdate?

Thanks!

#12

Updated by Sascha Steinbiss 11 months ago

Sascha Steinbiss wrote in #note-11:

Just taking a look at this atm.

for packets, log mac src/dst as a scalar field in eve
for flows, log mac src/dst as lists in eve
field names should be different to avoid type confusion (e.g. src_mac vs src_macs?)

Alerts will log based on packet, but can add mac addrs from flow too.

I am wondering how to decide whether something is to be logged as flow or packet. Would it be enough to look at p->flow in CreateJSONHeader and see if the *pktcnt values there indicate >1 packet?

Also, am I correct in assuming that in order to log a list of MAC addresses, one would need to gather and update that during packet->flow assignment? Can you suggest a good suitable place to do that in the code? FlowHandlePacketUpdate?

I think I've at least found a starting point: https://github.com/satta/suricata/commit/ac09ed3d3b85c76c0bb38795efcb0ab11466f67b
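
A sketch of the structure Sascha asks about in #11, as an added example that is not Suricata's own code: a hypothetical bounded, de-duplicated per-flow MAC set, updated whenever a packet is attached to its flow (the spot FlowHandlePacketUpdate is suggested for), plus the two eve serializers from the Amsterdam agreement in #8, a scalar src_mac for packet records and a list src_macs for flow records. The names MacSet, MacSetAdd, MacPacketToJson, MacSetToJson and the MACSET_MAX bound are assumptions, and only the source direction is shown.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#define MAC_LEN 6
#define MACSET_MAX 8  /* assumed bound: a host rotating its MAC must not grow flow memory without limit */

/* Hypothetical bounded, de-duplicated set of MACs seen on one side of a flow. */
typedef struct MacSet {
    uint8_t macs[MACSET_MAX][MAC_LEN];
    int count;
    int dropped;  /* distinct MACs not stored because the set was already full */
} MacSet;

/* Called once per packet when it is attached to its flow; returns 1 if the
 * address is now in the set, 0 if it had to be dropped because of the bound. */
int MacSetAdd(MacSet *s, const uint8_t mac[MAC_LEN])
{
    for (int i = 0; i < s->count; i++)
        if (memcmp(s->macs[i], mac, MAC_LEN) == 0)
            return 1;
    if (s->count >= MACSET_MAX) { s->dropped++; return 0; }
    memcpy(s->macs[s->count++], mac, MAC_LEN);
    return 1;
}

static void MacFormat(const uint8_t mac[MAC_LEN], char out[18])
{
    snprintf(out, 18, "%02x:%02x:%02x:%02x:%02x:%02x", mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
}

/* Per-packet record (alert, packet): the packet's own address as scalar "src_mac". */
int MacPacketToJson(const uint8_t mac[MAC_LEN], char *out, size_t outlen)
{
    char str[18];
    MacFormat(mac, str);
    return snprintf(out, outlen, "{\"src_mac\":\"%s\"}", str);
}

/* Flow record: every address seen, as list "src_macs". The distinct key name keeps
 * a downstream schema from seeing a string and an array under the same key.
 * Returns the length that would have been written, like snprintf itself. */
int MacSetToJson(const MacSet *s, char *out, size_t outlen)
{
    char str[18];
    int n = snprintf(out, outlen, "{\"src_macs\":[");
    for (int i = 0; i < s->count && (size_t)n < outlen; i++) {
        MacFormat(s->macs[i], str);
        n += snprintf(out + n, outlen - n, "%s\"%s\"", i ? "," : "", str);
    }
    if ((size_t)n < outlen) n += snprintf(out + n, outlen - n, "]}");
    return n;
}
```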

#13

Updated by Victor Julien 6 months ago

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 6.0.0beta1
